Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.
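The sketch below is an added illustration of this kind of per-user baseline check, not the product's own detection logic. It reuses the training, test, and deduplication periods from the Synopsis; the event tuple format, the `MIN_UNUSUAL` threshold for "multiple", and the sample data are assumptions, and the activation period is not modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)   # Training Period from the Synopsis
TEST = timedelta(hours=1)       # Test Period
DEDUP = timedelta(days=1)       # Deduplication Period
MIN_UNUSUAL = 3                 # assumption: what counts as "multiple"


def detect(events, min_unusual=MIN_UNUSUAL):
    """events: iterable of (timestamp, user, resource) SSO logins.
    Returns a list of (timestamp, user, sorted unusual resources) alerts."""
    history = defaultdict(list)   # user -> [(ts, resource)] already processed
    last_alert = {}               # user -> timestamp of last alert raised
    alerts = []
    for ts, user, resource in sorted(events):
        past = history[user]
        # Baseline: resources seen in the 30 days before the test window.
        baseline = {r for t, r in past if ts - TRAINING - TEST <= t < ts - TEST}
        # Test window: the last hour, including the current event.
        window = {r for t, r in past if t >= ts - TEST} | {resource}
        past.append((ts, resource))
        unusual = window - baseline
        if not baseline or len(unusual) < min_unusual:
            continue              # no profile yet, or too few new resources
        if user in last_alert and ts - last_alert[user] < DEDUP:
            continue              # suppress repeats within the dedup period
        last_alert[user] = ts
        alerts.append((ts, user, sorted(unusual)))
    return alerts


def sample_events():
    """Constructed sample data: 10 days of routine logins, then a burst."""
    start = datetime(2024, 1, 1, 9, 0)
    events = [(start + timedelta(days=d), "alice", app)
              for d in range(10) for app in ("mail", "wiki")]
    burst = datetime(2024, 1, 11, 14, 0)
    for i, app in enumerate(("payroll", "crm", "vault", "git")):
        events.append((burst + timedelta(minutes=5 * i), "alice", app))
    return events


if __name__ == "__main__":
    for ts, user, resources in detect(sample_events()):
        print(ts.isoformat(), user, resources)
```

On the constructed data, the third new resource within the hour raises one alert, and the fourth is suppressed by the deduplication period.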
Attacker's Goals
Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
Investigative actions
Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.
Variations
A user accessed multiple resources via SSO using an anonymized proxy
Suspicious user access to multiple resources via SSO